Modern society is built on software—it connects people to 
their friends and family, enables businesses to operate more 
efficiently and securely, and underpins the global economy. In 
the response to the COVID-19 pandemic, software was essential 
in enabling remote learning, working, and healthcare. Software 
is also shaping our future, driving 5G wireless networks, the 
Internet of Things (IoT), blockchains, and artificial intelligence. 


As our digital transformation continues, it is imperative that enterprises and 
policymakers consider cybersecurity from the outset, as well as how these 
technologies can support broad and inclusive growth, as they develop and 
deliver the secure products and services that improve our lives. 


Importantly, digital transformation is not solely about “ones and zeroes” 
but building stronger communities. The enterprise software industry 
supports good-paying jobs of the future in industries far beyond the 
technology sector; for example, as the BSA Foundation found, in the US 
alone, “In 2020, software supported more than 15.8 million jobs in total— 
an increase of 5.9 percent since 2018.” 


BSA is the leading advocate for the global enterprise software industry, 
and BSA members create the software products and services that power 
enterprises and improve lives around the world. They offer software 
that generates efficiencies and promotes trust and security, including 
cloud computing, customer relationship management, human resources 
management, and identity and access management products and services. 
Businesses trust BSA members to securely handle their most sensitive 
information, and BSA members’ business models do not depend on 
monetizing consumers’ personal data. 

BSA identifies the following priorities and offers policy recommendations 
for governments around the world to consider when seeking to improve 
cybersecurity. 


Robust Software Security 


Managing software security risks must be a continuous improvement process because modern 
software, frequently delivered as a service, is commonly patched and improved daily and 
because adversaries continuously improve their tactics, techniques, and procedures. Industry 
has developed valuable tools and best practices that any organization can use to accelerate its 
improvement, including the BSA Framework for Software Security, a flexible, outcome-focused 
approach mapped to best practices and international standards. 


BSA SUPPORTS 


» Evaluating software security, including application security, using a lens of continuous 
improvement that considers (a) the development process, (b) built-in capabilities, and (c) 
lifecycle management. In contrast, laws and policies built on point-in-time assessments, 
such as labels or software bills of materials, can be a part of a broader program to improve 
cybersecurity but have limited value and may provide a false sense of security, particularly for 
cloud services. For further information on secure software approaches and methodologies, see 
the BSA Framework for Software Security. 


» Using public-private partnerships to design laws and policies that improve software 
cybersecurity risk management rather than only creating a compliance mindset and 
accompanying checklists. 

Cybersecurity for Emerging Technologies 


Developing and harnessing emerging technologies requires strong cybersecurity. Just as a 
house built on a weak foundation will eventually crumble, necessitating costly repairs, emerging 
technologies built without actively managing cybersecurity risks will face a similar fate. These 
innovations could bring transformational benefits, but require sufficient upfront security 
investments to help ensure emerging technologies do not serve as entry points for cyberattacks. 


BSA SUPPORTS 


» Developing laws and policies that are risk-based and appropriately tailored to allow for 
innovation, as well as deliver concrete cybersecurity improvement, and limit unintended 
consequences. 


» Advocating 5G networks designed, built, operated, and updated with cybersecurity as a 
primary concern, while ensuring laws and policies promote competition. 


» Leveraging automation to improve cybersecurity by, for example, enabling cybersecurity 
experts to more effectively focus on high-value tasks. 


» Managing cybersecurity risks to the supply chain and IoT through a holistic approach, built on 
best practices and international standards where applicable. For more information on supply 
chain security and IoT, see BSA's white paper Building a More Effective Strategy for ICT Supply 
Chain Security and BSA Policy Principles for Building a Secure and Trustworthy Internet of 
Things. 


Modernization of Government IT and Cybersecurity 


Supporting governments by providing secure, trusted, and effective solutions is what BSA 
members do. By improving their own IT and cybersecurity, governments can improve the entire 
cybersecurity ecosystem. 


BSA SUPPORTS 


» Investing in the long-term security of government IT and cybersecurity, which will, over the 
medium and long term, save resources and better protect citizens. 


» Improving government cybersecurity by migrating to cloud services, and implementing strong 
identity and access management practices, such as using zero trust architecture and multifactor 
authentication, as many organizations have prioritized, including the US Government through 
the Executive Order on Improving the Nation's Cybersecurity. 


» Advocating laws and policies that provide flexibility to ensure short-term government 
improvements do not ultimately result in governments receiving products and services that do 
not keep pace with the state of the art. 


» Assisting state or provincial and local governments in modernizing their IT and improving 
their cybersecurity, including through financial support from national governments, as state 
or provincial and local governments often lag behind both private-sector organizations and 
national governments. 


» Streamlining procurement processes and requirements to eliminate those that create undue 
burdens or do not concretely advance cybersecurity. 

Interoperable Cybersecurity Laws and Policies Across Borders 


Investing to ensure compliance with laws and policies constrains an organization's ability to 
invest in improving cybersecurity. Many countries have, or have proposed, laws and policies that 
impose overlapping or duplicative requirements. For example, laws and policies requiring labels 
for software or IoT devices necessitate resources to implement that could be better invested in 
cybersecurity. Further, some countries’ requirements are either not aimed at or do not have the 
effect of improving cybersecurity, but rather function as non-tariff trade barriers, such as many 
cloud security certifications; in such situations, the requirements harm the security of customers, 
countries, and the entire digital ecosystem. 


BSA SUPPORTS 


» Aligning laws and policies, for example those that require or propose to require incident 
reporting, so that, rather than spending resources on compliance, organizations can invest to 
improve cybersecurity. 


» Ensuring cybersecurity laws and policies improve cybersecurity and are not, in reality, non-tariff 
trade barriers. 

An Effective Cybersecurity Workforce 


Building a secure future is not possible without developing an effective cybersecurity workforce. 
Increasing the pipeline of workers with the skills to meet government's and industry's demands is 
critical to continued economic growth. Importantly, many cybersecurity jobs do not require 
postgraduate, four-, or even two-year degrees but can be completed by people who have earned 
applicable certifications. Fortunately, many people of all ages and from all walks of life have the 
aptitude and interest to learn these valuable cybersecurity skills. 


BSA SUPPORTS 


» Broadening opportunities, improving training programs, and expediting the development of 
the diverse workforce needed to secure our shared future. 


» Promoting alternative paths to cybersecurity careers, for instance through apprenticeship 
programs, community colleges, “boot camps,” and public service, and establishing mid-career 
retraining programs to provide workers with high-demand cybersecurity skills. 